Abstract. We show that many quadratic binomial functions of the form $cx^{2^i+2^j} + dx^{2^u+2^v}$ ($c, d \in GF(2^m)$) are not APN infinitely often. This is of interest in the light of recent discoveries of new families of quadratic binomial APN functions. The proof uses the Weil bound from algebraic geometry.

1 Introduction 

Let $K := GF(q)$ be the finite field with $q$ elements. Let $n$ be a positive integer, and let $L$ be an extension of $K$ of degree $n$. We consider polynomials with coefficients in $K$ as polynomial functions on $L$. Let $f \in K[x]$. The function $f : L \to L$ is called perfect nonlinear (PN) on $L$ if for every $a \in L^*$, $b \in L$ there is at most one solution $x \in L$ to the equation

$$f(x + a) - f(x) = b. \tag{1}$$

There are no perfect nonlinear functions on fields of characteristic 2, since whenever $x$ is a solution to (1), then so is $x + a$. If for every $a \in L^*$, $b \in L$, there are at most two solutions $x \in L$ to (1), then we say that $f$ is almost perfect nonlinear (APN) on $L$. Due to the connections to coding theory and cryptography, APN functions over fields of characteristic 2 are more widely studied. For the remainder we assume that $q = 2^m$ for some positive integer $m$.

An equivalent definition is to say that a function $f$ is APN on $L$ if the set

$$D_a = \{f(x) + f(x + a) : x \in L\}$$

is as large as possible (namely $q^n/2$) for every nonzero $a \in L$. $D_a$ is called the differential of $f$ at $a$. By definition, an APN function provides best possible resistance to a differential attack when used as an S-box of a block cipher, since then the plaintext difference $a = x + y$ yields the ciphertext difference $b = f(x) + f(y)$ with least probability.

Until 2006, the list of known affine inequivalent APN functions on $K = GF(2^m)$ was rather short:

| | exponent $d$ | constraints | |
|---|---|---|---|
| Gold | $2^r + 1$ | $(r, m) = 1$ | [28, 33] |
| Kasami-Welch | $2^{2r} - 2^r + 1$ | $(r, m) = 1$, $m$ odd | [29] |
| Welch | $2^r + 3$ | $n = 2r + 1$ | [20] |
| Niho | $2^r + 2^{r/2} - 1$ | $m = 2r + 1$, $r$ even | [21] |
| | $2^r + 2^{(3r+1)/2} - 1$ | $m = 2r + 1$, $r$ odd | |
| Inverse | $2^{2r} - 1$ | $m = 2r + 1$ | [13, 34] |
| Dobbertin | $2^{4r} + 2^{3r} + 2^{2r} + 2^r - 1$ | $m = 5r$ | [22] |



It was conjectured that the list was complete, up to equivalence. Motivated 
by this question, several authors have considered when a linear combination of 
Gold functions could be APN. In [5] the authors show that a polynomial of the 
form 



/(^) 



e K[x], 



$J \subset \mathbb{N}$, with at least two nonzero $f_j$ is not APN on $K$ (and therefore not on any extension $L$ of $K$). The main result relies on proving that the polynomial



fix) 



is a permutation polynomial on $K$. While the authors in [5] use Hermite's criterion to establish the permutation property, in fact this was proved sometime before in [35] by different techniques. In any case, this method cannot be extended to more general quadratics, with exponents of the form $2^j + 2^k$ instead of $2^j + 1$. It is this more general form of exponent that we will consider in this paper. We will study when a linear combination of two Gold functions with these more general exponents can be APN.

This case with more general quadratic exponents is more interesting, because 
such functions can indeed be APN. In [25], the first example of an APN function 
not equivalent to any of the above list appeared. The function 



$$x^3 + ux^{36} \in GF(2^{10})[x], \tag{2}$$

where $u \in \omega GF(2^5)^* \cup \omega^2 GF(2^5)^*$ and $\omega$ has order 3 in $GF(2^{10})$ is APN on $GF(2^{10})$. This function has the additional property of being crooked. The function $f$ is called crooked if $D_a$ forms an affine hyperplane over $GF(2)$. This will certainly be the case for any APN function $f$ for which $f(x) + f(y) + f(x + y)$ is $GF(2)$-bilinear, in which case $f$ is called a quadratic APN function. Crooked functions have connections with other combinatorial objects, such as distance-regular graphs [17, 18]. It is now known that all crooked monomials or binomials are quadratic [6, 30].

Since the emergence of this first sporadic example, there are now several more 
known infinite families of inequivalent APN functions. 







constraints 




(1) 




m — rk ^ {S/c, 4/c}, (r, s) = (5, /c) — (r, A;) = 1, 

j'\(h-L. o\ C\r\c\ 11 ic p\ 9^ — 1 -fVl DOWPr ITl 




(2) 




m = 3/c, (3, s) = (s, fc) = (3, k) — I, uv ^ 1 
3|(fc + s), and u is a 2*^ — 1-th power 




(3) 


+ E^Zlr,x^'"'^'' 


m = 2k, rj e GF(2'=), 
6,c^ GF(2'=) 


m 


(4) 


+ Tr{x-') 




m 


(5) 


rj/C rj — A;_i_rjfC + S 9^_L1 Q ^ + ^ 1 Q S 


m = 3k, (3, s) = (s, k) = (3, fc) = 1, 3|(fc + s), 
u primitive and v e GF{2'^) 


[8] 


(6) 


(jta (J— fcirjfc + S 0'^_|_1 ~ 1 1 

-{-wu'^^-^'^x'^^^^-^'^' 


ra = 3k, (3, s) = (s, fc) = (3, k) = 1, 3|(fc + s), 
u primitive and w,v € GF{2''), wv ^ 1 


[8J 



Observe that the new families are all quadratic APN functions, and have exponents of the more general form $2^j + 2^k$. This is partially explained by the fact that proving the APN property for quadratics seems to be easier than for arbitrary polynomials. Further, at the time of writing, not a single example of a non-monomial non-quadratic APN function is known.

Family (1) generalizes a second example given in [25], for the case $m = 12$. Family (2) contains Family (1) as a subclass for the case $m = 3k$ when $u = 0$. Family (6) contains Family (5) as a subclass when $w = 0$. Most of these families include some of the inequivalent polynomials listed in [TH]. In fact Family (2) (with Ti = 0) contains a class equivalent to the trinomial family given in [5]. In the same paper, based on a construction presented in [19], the authors present a family of hexanomials on $GF(2^{2k})$:

$$x\left(x^{2^i} + x^{2^k} + cx^{2^{i+k}}\right) + x^{2^i}\left(c^{2^k}x^{2^k} + bx^{2^{i+k}}\right) + x^{2^{i+k}+2^k}$$

with $k > 3$, $(i, k) = 1$, $b \notin GF(2^k)$, and show that such a hexanomial is APN as long as

$$p(x) = x^{2^i+1} + cx^{2^i} + c^{2^k}x + 1$$

is irreducible over $GF(2^{2k})$. It is not clear that the polynomial $p(x)$ can always be shown to be irreducible over $GF(2^{2k})$ for some choice of $c$. For this reason we do not yet classify it as an infinite family of APN functions. However, the authors of [5] have checked by computer that for $6 < m < 26$, several such $c$ exist (about 3/10 of all field elements).

An important component of the study of APN functions is the notion of equivalence of APN functions. The most prominent of these relations are extended affine equivalence (EA) and CCZ-equivalence [15]. A pair of functions are EA equivalent if one can be obtained from the other by affine permutations; more precisely, $f =_{EA} g$ if there exist affine permutations $A_1$, $A_2$ and an affine map $A$ satisfying $f = A_1 \circ g \circ A_2 + A$. If $f =_{CCZ} g$ then the graph of $f$ can be obtained from the graph of $g$ by an affine permutation. CCZ-equivalence generalizes affine equivalence and can be expressed in terms of coding theory. In fact two functions are CCZ-equivalent if and only if some corresponding linear codes are equivalent (cf. [7, 19]). CCZ-equivalent functions have the same differential uniformity (which is 2 for APN functions) and the same nonlinearity and hence offer the same resistance to linear and differential attacks. In general, proving CCZ-inequivalence is very difficult and in several instances we rely on computing power to return inequivalent functions from different families. Although typical computations in establishing CCZ-equivalence become intractable even for relatively small values of $m$, a recent approach (see [8, 16] for further details) has shown that Families (6) and (7) are CCZ-inequivalent to any previously known families (working over $GF(2^{12})$).

Recall that $K = GF(2^m)$. For each family listed above, there is a functional (or equational) relationship between the parameter $m$ and the parameters $k$, $s$ etc. appearing in the function. In other words, the form of the function depends on $m$. This includes the $x^3 + \mathrm{Tr}(x^9)$ function, since the trace term depends on $m$. This is not the case for the Gold and Kasami-Welch functions; any fixed Gold or Kasami-Welch is APN on infinitely many extensions of $K = GF(2)$. We will say that a function $f$ that is defined over $K$ is APN infinitely often if $f$ is APN on $K$ and APN on an infinite number of extensions of $K$. One way to tackle the classification problem of APN functions is to determine classes of APN functions that are not APN infinitely often. This problem has been studied for monomial functions in [31] and [32], and for arbitrary polynomials more recently by Rodier [36]. We take this approach in this paper, focussing on quadratic binomials. All approaches to this invoke the Weil bound and its generalizations.

We will show that many classes of quadratic binomials defined on $K$ are not APN infinitely often. A summary of our results is in Corollary 4. One consequence of our results is that the APN binomials of Family (1) are not APN infinitely often, for $i > 1$. Using Frobenius arguments and singularities of a curve, we also show that the sporadic APN polynomial $x^3 + ux^{36} \in GF(2^{10})[x]$ is not APN infinitely often.

We conjecture that the Gold and Kasami-Welch monomial functions are the only APN functions that are APN infinitely often.

2 The Weil Bound 

A theorem of Weil gives an upper bound on the number of rational points of an absolutely irreducible curve [37]. In fact there have been a number of improvements to this bound since (see [27, 33]). However, for the purposes of this paper, we only require the fact that the number of rational points over $L = GF(q^n)$ of an absolutely irreducible curve exceeds its degree for sufficiently large $n$.

Theorem 1. [33] Let $A(x, y)$ be an absolutely irreducible polynomial of degree $d$ with coefficients in $K = GF(q)$. Then the number of points $N_n$ on the affine curve $A(x, y) = 0$ over $L = GF(q^n)$ satisfies

$$|N_n - (q^n + 1)| \le 2(d - 1)(d - 2)\sqrt{q^n} + C_d,$$

where $d$ denotes the degree of $A(x, y)$ and $C_d$ is a constant that depends only on $d$.



Corollary 1 Let $G(x, y) \in K[x, y]$ have an absolutely irreducible factor in $K[x, y]$. Then $G(x, y)$ has rational points over $L$ off the line $x = y$ for all $n$ sufficiently large.

Proof: Let $A(x, y)$ be an absolutely irreducible factor of $G(x, y)$ in $K[x, y]$ and suppose that $A(x, y)$ has degree $d$. Then there are at most $d$ points $(x, y)$ on $A(x, y)$ with $x = y$. From the Weil bound, for $n$ sufficiently large, the total number of rational points of the affine curve $A(x, y) = 0$ exceeds $d$, which is the upper bound of the number of rational points of $A(x, y) = 0$ on the line $x = y$. □

We apply this result as follows. Given a function $f$ on $L$, define

$$\Delta_f(x, y) := f(x + y) + f(x) + f(y).$$

Suppose that $f$ is quadratic. Then clearly $\Delta_f(a, a) = \Delta_f(0, a) = 0$ for all $a \in L$, so $f$ is APN on $L$ if and only if $\Delta_f(x, y)$ has no rational points over $L$ off the line $x = y$. Therefore, in light of Corollary 1, we will study $f$ for which $\Delta_f(x, y)$ has an absolutely irreducible factor. Such $f$ will not be APN infinitely often.
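
The two APN criteria stated so far, the differential count from the introduction and the zeros of $\Delta_f$ defined above, can be checked by brute force on small fields. The Python below is an added example, not code from the paper; the reduction polynomials and function names are assumptions made for the illustration, only polynomials with coefficients in $GF(2)$ are handled, and zeros on the axes are skipped because $\Delta_f(0, a) = 0$ always.

```python
# Added example (not from the paper). Elements of GF(2^m) are ints whose bit k
# is the coefficient of x^k; the moduli below are constructed choices.
IRREDUCIBLE = {3: 0b1011, 4: 0b10011, 5: 0b100101, 6: 0b1000011, 7: 0b10000011}

def gf_mul(a, b, m):
    """Multiply in GF(2^m): shift-and-add with reduction by IRREDUCIBLE[m]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= IRREDUCIBLE[m]
    return r

def gf_pow(a, e, m):
    """Square-and-multiply exponentiation in GF(2^m)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m)
        a = gf_mul(a, a, m)
        e >>= 1
    return r

def lookup_table(exponents, m):
    """Table of f(x) = sum of x^e for e in exponents (coefficients in GF(2))."""
    table = []
    for x in range(1 << m):
        y = 0
        for e in exponents:
            y ^= gf_pow(x, e, m)
        table.append(y)
    return table

def differential_uniformity(f):
    """max over a != 0 and b of #{x : f(x + a) + f(x) = b}; f is APN iff it is 2."""
    worst = 0
    for a in range(1, len(f)):
        counts = {}
        for x in range(len(f)):
            b = f[x ^ a] ^ f[x]
            counts[b] = counts.get(b, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst

def delta_points(f):
    """Count zeros (x, y) of f(x+y) + f(x) + f(y) with x != y and x, y != 0."""
    n = len(f)
    return sum(1 for x in range(1, n) for y in range(1, n)
               if x != y and (f[x ^ y] ^ f[x] ^ f[y]) == 0)

def profile(exponents, degrees=(3, 4, 5, 6, 7)):
    """Differential uniformity of the same polynomial over each GF(2^m)."""
    return {m: differential_uniformity(lookup_table(exponents, m)) for m in degrees}

if __name__ == "__main__":
    print("x^3      ", profile([3]))     # Gold exponent with r = 1
    print("x^5      ", profile([5]))     # Gold exponent with r = 2
    print("x^3 + x^5", profile([3, 5]))  # sum of two Gold functions
    print("off-line zeros of Delta_f on GF(2^5):",
          delta_points(lookup_table([3], 5)), delta_points(lookup_table([3, 5], 5)))
```

Over $m = 3, \dots, 7$ it reports uniformity 2 for $x^3$ on every field, 2 or 4 for $x^5$ according to whether $m$ is odd or even, and 4 for $x^3 + x^5$ throughout, matching the result of [5] quoted in the introduction.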

3 Quadratic Binomials 

We will show that many binomial quadratic functions of the form $cx^{2^i+2^j} + dx^{2^u+2^v}$ ($c, d \in K$) are APN on at most a finite number of extensions of $K$.

Observe first that every quadratic binomial in $K[x]$ is affine equivalent to a function $f$ of the form

for some nonzero $\delta$ in $K$, where $i \ge 1$, $t \ge 1$, $s \ge 0$. Then

$$\Delta_f(x, y) := f(x + y) + f(x) + f(y) = x^{2^i}y + xy^{2^i} + \delta\left(x^{2^t}y + xy^{2^t}\right)^{2^s}.$$

When $s = 0$, for any $x \in L^*$, $\Delta_f(x, a) = 0$ if and only if

xa 

This equation has only the solution $x = a$ in $L$ iff $x^{2^i-1} + \delta x^{2^t-1}$ is a permutation polynomial on $L$, which is false by the result of [5] mentioned in the introduction. We deduce that $f$ is not APN on $K$ (or any extension) if $s = 0$. We therefore assume for the remainder that $s > 0$.



Theorem 2 Define $F(x, y)$ by

$$F(x, y) := \frac{\Delta_f(x, y)}{xy} = x^{2^i-1} + y^{2^i-1} + \delta(xy)^{2^s-1}\left(x^{2^t-1} + y^{2^t-1}\right)^{2^s}. \tag{3}$$

If $F(x, y)$ has an absolutely irreducible factor over $K$, then $f(x)$ is not APN infinitely often.

Proof: If $F(x, y)$ has an absolutely irreducible factor over $K$, then $f(x)$ is not APN on $L$ for all $n = [L : K]$ large enough by Corollary 1 and the subsequent remarks. □

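We next observe some obvious factors of $F(x, y)$.

Lemma 1. Let $d = \gcd(i, t)$. Then $x^{2^d-1} + y^{2^d-1}$ divides $F(x, y)$.

Proof: Let $\alpha \in GF(2^d)$ be nonzero. Observe that $F(x, \alpha x) = 0$. This means that $y - \alpha x$ divides $F(x, y)$, and so

$$\prod_{\alpha \in GF(2^d)^*} (y - \alpha x) = y^{2^d-1} + x^{2^d-1}$$

divides $F(x, y)$ in $K[x, y]$. □

Let $U(x, y) := x^{2^d-1} + y^{2^d-1}$ be this obvious factor, and define

$$H(x, y) := \frac{F(x, y)}{U(x, y)}.$$

Then

$$H(x, y) = \prod_{\alpha \in I}(x + \alpha y) + \delta(xy)^{2^s-1} \prod_{\beta \in B}(x + \beta y) \prod_{\gamma \in GF(2^t)^*}(x + \gamma y)^{2^s-1}$$

$$= H_{2^i-2^d} + H_{2^{t+s}+2^s-2^d-1}, \tag{4}$$

with $I = GF(2^i) \setminus GF(2^d)$ and $B = GF(2^t) \setminus GF(2^d)$. The polynomials $H_{2^i-2^d}, H_{2^{t+s}+2^s-2^d-1} \in K[x, y]$ are homogeneous of degrees $2^i - 2^d$ and $2^{t+s} + 2^s - 2^d - 1$ respectively.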

We conjecture the following: 

Conjecture 1 The polynomial $H(x, y)$ is absolutely irreducible.

Any $f(x)$ for which Conjecture 1 holds is not APN infinitely often, by Theorem 2.

We have strong results in support of our conjecture. We will show that if $i$ does not divide $t$, which is equivalent to the two homogeneous polynomials $H_{2^i-2^d}$ and $H_{2^{t+s}+2^s-2^d-1}$ (that $H$ is the sum of) being non-constant, then $H$ is absolutely irreducible. Since $s > 0$, if $H$ is not a sum of two non-constant homogeneous polynomials then $H_{2^i-2^d} = 1$ and $d = i$. We are not able to prove this second case completely, however we derive some constraints on $i, t, s$ from which we can deduce that $H$ is absolutely irreducible in many cases.

3.1 The Case i Does Not Divide t 

We first prove a general lemma. 

Lemma 2. Let $k$ be a field. Let $G(x, y) \in k[x, y]$ be the sum of two nonconstant homogeneous polynomials, i.e., $G = G_a + G_b$ where $G_i$ is homogeneous of degree $i$, and $1 < a < b$. Suppose $(G_a, G_b) = 1$ and either $G_a$ or $G_b$ factors into distinct linear factors over $k$. Then $G$ is irreducible over $k$.

Proof: Suppose not, say $G = WV$. Write $W$ and $V$ as a sum of homogeneous parts, say

$$G = WV = (W_e + W_{e+1} + \cdots + W_r)(V_f + V_{f+1} + \cdots + V_s).$$

Note that $G$ cannot have a homogeneous factor as $(G_a, G_b) = 1$, so we have $W_e \ne 0$, $W_r \ne 0$, $V_s \ne 0$, $V_f \ne 0$, $e < r$, $f < s$. Then $a = e + f$, $b = r + s$, and $a \le b - 2$.

Suppose first that $G_b$ has distinct linear factors, which implies $(W_r, V_s) = 1$. The term of degree $b - 1$ in $G$ is $0 = W_rV_{s-1} + W_{r-1}V_s$, so $W_r$ divides $W_{r-1}V_s$. As $(W_r, V_s) = 1$ we have $W_r \mid W_{r-1}$ which is impossible by degree considerations unless $W_{r-1} = 0$. Similarly $V_{s-1} = 0$. Applying this argument successively to terms of degree $b - 2$, $b - 3$, we obtain $W_j = 0$ for all $j < r$ (and $V_j = 0$ for $j < s$), which means that $W$ is homogeneous, a contradiction.

Secondly we consider the case that $G_a$ has distinct linear factors, which implies $(W_e, V_f) = 1$. The degree $a + 1$ term in $G$ is $0 = W_eV_{f+1} + W_{e+1}V_f$, so $W_e$ divides $W_{e+1}V_f$ (and $V_f$ divides $W_eV_{f+1}$). Since $(W_e, V_f) = 1$ we get $W_e \mid W_{e+1}$ (and $V_f \mid V_{f+1}$). Next (assuming $b > a + 2$) the degree $a + 2$ term is $0 = W_eV_{f+2} + W_{e+1}V_{f+1} + W_{e+2}V_f$, so $W_e \mid W_{e+2}$. Continuing in this way we obtain $W_e \mid W_j$ (and $V_f \mid V_j$) for all $j$. But then $W_e$ is a homogeneous factor of $G$, a contradiction. □

Theorem 3 Let $F(x, y) \in K[x, y]$ be defined as in Equation (3). If $i$ does not divide $t$ then Conjecture 1 holds.

Proof: Let $d = (i, t)$. Then $F(x, y) = (x^{2^d-1} + y^{2^d-1})H(x, y)$, where $H(x, y) = H_{2^i-2^d} + H_{2^{t+s}+2^s-2^d-1}$ is defined as in (4). If neither $H_{2^i-2^d}$ nor $H_{2^{t+s}+2^s-2^d-1}$ is constant, then they are relatively prime and $H_{2^i-2^d}$ is a product of distinct linear factors. We may apply Lemma 2 and conclude that $H$ is absolutely irreducible.

Our assumption that $s > 0$ means that $H_{2^{t+s}+2^s-2^d-1}$ is not constant (which occurs if and only if $d = t$ and $s = 0$). Finally we note that $H_{2^i-2^d}$ is constant if and only if $d = i$. □



3.2 The Case i Divides t 

For $i$ a divisor of $t$, $H(x, y)$ has the form $1 + H_{2^{t+s}+2^s-2^i-1}(x, y)$. We apply singularity analysis and a little Galois theory to establish absolute irreducibility. It is straightforward to show that the affine curve $H(x, y)$ is non-singular. We consider the homogenized projective curves $H(x, y, z) = 0$, $U(x, y, z) = 0$ and $F(x, y, z) = 0$ where

$$H(x, y, z) = z^{2^{t+s}+2^s-2^i-1} + H_{2^{t+s}+2^s-2^i-1}(x, y),$$

$U(x, y, z) = U(x, y)$ as $U(x, y)$ is already homogeneous, and

$$F(x, y, z) = U(x, y, z)H(x, y, z).$$

Let $m_P(F)$ denote the multiplicity of the point $P$ on the curve $F$, etc.

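Lemma 3. Continue the above notation. The points in $\mathbb{P}^2(K)$ on $H(x, y, z)$ are of the types given in the following table.

| $P$ | | multiplicity |
|---|---|---|
| $[a : b : 1]$ | $H(a, b, 1) = 0$ | $1$ |
| $[1 : b : 0]$ | $b \in GF(q^i)$ | $2^s - 1$ |
| $[1 : b : 0]$ | $b \in GF(q^t) \setminus GF(q^i)$ | $2^s$ |
| $[0 : 1 : 0]$ | | $2^s - 1$ |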

Proof: Let $P = [1 : b : 0]$, $b \in K$. Then

$$F(x + 1, y + b, z) = U(x + 1, y + b, z)H(x + 1, y + b, z)$$

$$= F_0 + F_1 + F_2 + \cdots$$

$$= H_0U_0 + (H_0U_1 + H_1U_0) + \cdots$$

and on the other hand

$$F(x + 1, y + b, z) = z^{2^{t+s}+2^s-2^i-1}\left((x + 1)^{2^i-1} + (y + b)^{2^i-1}\right) + \delta(x + 1)^{2^s-1}(y + b)^{2^s-1}\left((x + 1)^{2^t-1} + (y + b)^{2^t-1}\right)^{2^s}.$$

Now equating coefficients gives

$$F_0 = H_0U_0 = F(1, b, 0) = \delta b^{2^s-1}\left(1 + b^{2^t-1}\right)^{2^s}$$

and

$$F_1 = H_0U_1 + H_1U_0.$$

Suppose that $b \ne 0$. Then we may write:

$$F_1 = (x + b^{-1}y)F_0,$$

$$F_2 = (x^2 + b^{-1}xy + b^{-2}y^2)F_0,$$

$$F_{2^s} = \delta b^{2^s-1}\left(x + b^{2^t-2}y\right)^{2^s}.$$

It follows that, if $P$ is a point on $F$, then $P$ is singular and $m_P(F) = 2^s$. Now $P$ is a point of $U(x, y, z)$ if and only if $b \in GF(2^i)^*$, in which case $m_P(U) = 1$ and $m_P(H) = 2^s - 1$; otherwise $m_P(H) = 2^s$. Finally, $[1 : 0 : 0]$ and $[0 : 1 : 0]$ are points of $H$ of multiplicity $2^s - 1$. □

We next make two observations on reducibility using the Frobenius automorphism. We will combine these with our singularity analysis to determine further conditions that guarantee the absolute irreducibility of $H$.

Lemma 4. Let $h(x, y, z)$ be an irreducible homogeneous polynomial of degree $d$ over $K = GF(q)$, with leading coefficient 1 with respect to some monomial order. If $h$ has an absolutely irreducible factor with leading coefficient 1 defined over $L = GF(q^n)$ (and no proper subfield) then $n$ divides $d$.

Proof. Let $h_1$ be an absolutely irreducible factor of $h$ with leading coefficient 1 defined over $L$ (and no proper subfield) of degree $d_1$. It follows that no Galois conjugate of $h_1$ is a scalar multiple of $h_1$. The product of the Galois conjugates of $h_1$, the polynomial

$$\tilde{h} = \prod_{\sigma \in \mathrm{Gal}(L:K)} \sigma(h_1),$$

has degree $nd_1$. Moreover, $\tilde{h}$ has coefficients in $K$, so $\tilde{h}$ divides $h$ in $K[x, y, z]$. Since $h$ is irreducible in $K[x, y, z]$, $\tilde{h} = h$, so then $d = nd_1$ and the result follows. □

Lemma 5. Let $h(x, y, z)$ be an irreducible homogeneous polynomial of degree $d$ in over $K = GF(q)$, with leading coefficient 1 with respect to some monomial order. Let $P$ be a point on $h$ of multiplicity $m_0$, and suppose the coordinates of $P$ lie in an extension of $K$ of degree $r$. If $h$ factors into $n$ absolutely irreducible factors over $L = GF(q^n)$ where $\gcd(n, r) = 1$, then $n$ divides $m_0$.

Proof. As in Lemma 4, let $h = h_1 \cdots h_n$ be the factorization of $h$ into absolutely irreducible factors over $L$, where each $h_i$ has degree $d/n$.

Since $(r, n) = 1$, from the Chinese Remainder Theorem there exists an integer $a$ such that $a \equiv 0 \pmod{r}$ and $a \equiv 1 \pmod{n}$. Let $\sigma$ be the automorphism in the Galois group of $GF(q^{rn})$ over $K$ given by $\sigma(z) = z^{q^a}$. Then $\sigma$ fixes $GF(q^r)$ element-wise and is a generator for the Galois group of $L$ over $K$. Then $\sigma$ fixes $P$ and acts transitively on the $h_i$. It follows that $P$ has the same multiplicity on each $h_i$, and so $m_0 = n \cdot m_P(h_i)$. □

Theorem 2. Let $i, t, s$ be positive integers with $i \mid t$. Let $H(x, y)$ be defined as in (4). Suppose that $H(x, y)$ is irreducible over $K = \mathbb{F}_q$. If either $(t, 2^s - 1) = 1$ or $(t - i, s) = 1$ then Conjecture 1 holds.

Proof. Of course $H(x, y)$ is irreducible if and only if the homogenization $H(x, y, z)$ is irreducible. Suppose that $H(x, y, z)$ has a proper factorization into absolutely irreducible factors over $L = GF(q^n)$. Now $H$ has the singular point $[1 : 0 : 0]$ over $K$ of multiplicity $2^s - 1$, so from Lemma 5, $n \mid (2^s - 1)$. We must show that $n = 1$.

$H$ also has singular points $[1 : \alpha : 0]$ with $\alpha \in GF(q^t)$ of multiplicity $2^s$. Moreover, if $(t, 2^s - 1) = 1$ then $(t, n) = 1$ as $n$ divides $2^s - 1$. From Lemma 5, $n \mid 2^s$, which together with $n \mid (2^s - 1)$ forces $n = 1$ and so $H$ is absolutely irreducible.

For the last part, observe that as in the proofs of Lemma 4 and Lemma 5, $n$ divides $2^{s+t} + 2^s - 2^i - 1$, the degree of $H$. Then $n$ divides $2^{s+t} - 2^i = 2^i(2^{s+t-i} - 1)$, and since $n$ is odd, $n \mid (2^{s+t-i} - 1)$. If $(t - i, s) = 1$, this again forces $n = 1$. □

We now summarize all our results. 

Corollary 4 Suppose that $f = x^{2^i+1} + \delta x^{2^s(2^t+1)}$ where $\delta \in K$, $i, t, s > 0$. Let $H(x, y)$ be defined as in (4). Suppose that any of the following conditions holds:

1. $i$ does not divide $t$,

2. $(t, 2^s - 1) = 1$ and $H(x, y)$ is irreducible over $K$,

3. $(t - i, s) = 1$ and $H(x, y)$ is irreducible over $K$.

Then $f$ is not APN infinitely often.

Finally, we present some applications of our results. 

Example 1. We now prove that the binomials of Family (1) in the introduction are not APN infinitely often. For $r = 3, 4$, the binomials of [10, 11] in Family (1), namely,

X ^ -\- UX ^ , 

defined on $K = GF(2^{rk})$ are APN on $K$ if $(i, k) = (r, k) = (r, i) = 1$ and $i + k = 0 \bmod r$. Then $i$ divides $t = (r - 1)k - i$ only if $i = 1$, so for $i > 1$, these binomials are not APN on an infinite number of extensions of $K$ by Corollary 4.



Example 2. We now show that the sporadic quadratic binomial function of [25]:

$$f = x^3 + ux^{36} \in GF(2^{10})[x],$$

where $u \in S = \omega GF(2^5)^* \cup \omega^2 GF(2^5)^*$ and $\omega$ has order 3 in $GF(2^{10})$, is APN over at most a finite number of extensions of $GF(2^{10})$. If

7 7 

x + y 

then $H_u(\alpha x, \alpha y) = H_{\alpha^{33}u}(x, y)$, and $\alpha^{33}u \in S$ if $u \in S$, so it suffices to prove that $H_u(x, y)$ is absolutely irreducible for one $u \in S$. Here $i = 1$, $s = 2$, and $t = 3$ in our notation.

Let a be a root of the primitive polynomial x^" + x^ + 1, and let u — a^^**. It 
can be easily checked (using a computer) that + a^''x+ 1) is irreducible 

in $K[x]$. This implies that $H_u(x, y)$ is irreducible in $K[x, y]$.

The polynomial $H_u(x, y)$ has degree 33. By Lemma 4, if $H_u(x, y)$ is not absolutely irreducible then it factors in one of the following three ways:

- 3 absolutely irreducible factors of degree 11 over $GF(2^{30})$

- 11 absolutely irreducible factors of degree 3 over $GF(2^{110})$

- 33 absolutely irreducible factors of degree 1 over $GF(2^{330})$.

It is straightforward to check that $(1, 0)$ is a point of multiplicity 3 on $H_u(x, y)$. Since 11 and 33 do not divide 3, the second and third cases are not possible by Lemma 5 applied with $r = 1$, $m_0 = 3$.

Suppose finally that $H_u(x, y)$ factors over $GF(2^{30})$ into 3 factors of degree 11.
Again letting a be a root of the primitive polynomial x^^ + .t'^ + 1, and u = a"^^*, 
we checked with a computer that the polynomial Hu{x, x^ +a^x+l) G K[x\ of 
degree 63 has an irreducible factor of degree 53 in $K[x]$. Since 3 is relatively prime to 53, this factor remains irreducible over $GF(2^{30})$, and this is not compatible with the assumed factorization of $H_u(x, y)$.